Cloud
11/26/2013
11:06 AM
Elad Yoran
Elad Yoran
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

NSA Surveillance: First Prism, Now Muscled Out Of Cloud

Companies can no longer discount the risk of losing control of confidential corporate data in the cloud. Government data mining is here to stay, in one invasive form or another.

The latest round of stunning revelations of National Security Agency (NSA) surveillance and data mining of cloud-based services and Internet communications has added a new term to our lexicon of government spying. In addition to Prism, we now have Muscular looming over cloud adoption.

The Muscular revelations are eye opening because, according to The Washington Post, they point to a far wider scope and far more indiscriminate data capture than even the Prism revelations suggest. This collection is done by intercepting private links that connect Google and Yahoo datacenters around the world -- and decrypting the traffic that should be protected in transit. Microsoft recently testified to the European Union Parliament that the company does not encrypt its server-to-server data communications. Another reveal is the fact that this program is being operated in conjunction with the United Kingdom's NSA counterpart, the Government Communications Headquarters. This is a broad issue as governments all over the world are accessing private data in ways that are only now being made public.

Inevitably, we find ourselves asking the same set of questions we did when reports of Prism emerged. But now there is an added twist: Is there any way to protect the privacy of cloud data, and, in fact, any point in encrypting data with the range of technical tools and programs at the NSA's disposal? We've learned of cloud service providers being compelled or cajoled to hand over the keys for encryption of data at rest. Does Muscular mean we are seeing the value of encryption of data in transit being undermined?

These new revelations certainly underscore the risk of cloud data landing in places outside enterprise controls. But we should be careful about overstating the implications for encryption technology as a whole.

First of all, the NSA has circumvented the SSL encryption process by tapping the provider's datacenter directly. The implication here is not that SSL is of no intrinsic value, but rather that evaluating (and monitoring) a cloud service provider's security posture is critical. Closing the barn door after the horse has bolted is not a sustainable operating principle. Also, it's important to bear in mind that there are plenty of threats (as well as compliance mandates) where SSL for encryption of data in transit has its uses.

However, the Muscular revelations bring home the fact that SSL serves to encrypt data in transit, but not the data itself.

Hoovering up data
Many of the enterprises we speak to understand that, in terms of current legislation, there is broad leeway for the NSA to Hoover up data -- and that technology will only provide a partial answer. As much as anything, changes in policy, process, and oversight are needed for enterprises to embrace cloud computing without putting their confidentiality, privacy, or compliance at risk.

Without direct knowledge of the NSA's inner workings, no cryptography expert is willing to rule out the notion that the agency has developed encryption-cracking capabilities. However, in order to crack common data encryption standards such as AES-256 bit to yield just a single key, the agency must have made exponential leaps in its abilities and computing capacity.

Instead, Muscular revelations point to the need for businesses to work with cloud service providers that adhere to third-party security frameworks -- and not simply assert, "We got this." This is why the adherence to the Cloud Security Alliance's Cloud Control Matrix should be the first order of business for any enterprise evaluating a cloud service provider.

As Gartner director Heidi Wachs points out in a company blog post, "If we're going to address the privacy issues associated with cloud computing, then we need to start by accepting the current state of play and figure out how to enhance and strengthen it moving forward."

So what remedies are open to enterprises that want to embrace the cloud? According to Wachs:

We can protect data privacy better through contracts with enhanced privacy protections, applying increased security controls, and increasing transparency with regards to data handling. We need to have open, frank negotiations with cloud service providers to clearly establish where data is being stored, how it is being protected, who is accessing it, how it is being used for marketing purposes or resold to third parties, and how it is being destroyed.

Ultimately, corporate data in the cloud is still exposed to any government's tools or its ability to twist cloud service providers' arms to hand over corporate data. Therefore, we need not only to separate out the need to address these programs through policy debate, but also to define steps that organizations can take directly to retain ownership and control of their data.

Bottom line: Enterprises absolutely must maintain direct ownership and control of their encryption keys and encrypt their data in all three states -- at rest, in transit, and in use. Any business not willing to take these steps should keep its data on the premises.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RussellWalker
50%
50%
RussellWalker,
User Rank: Apprentice
11/26/2013 | 1:56:37 PM
Here! Here!
The lazy buyer will make the hacker (legal or not) a happy person.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/27/2013 | 8:10:37 AM
Re: Here! Here!
Thanks for the heads up about Muscular, Elad. Gartner offers some good advice about the importance of strong CSP contracts that include privacy protections and apply increased security control and transparency for data handling. But I wonder how willing CSPs are to engage in these discussions? 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?